Thursday 2nd February 2023

BLOG: How Risk Based Vulnerability Management Can Help Insurers Mitigate Financial Losses

Risk-based vulnerability management is a method that helps insurers identify and mitigate the potential financial losses caused by security vulnerabilities in the systems they rely on. It prioritizes vulnerabilities based on the potential impact they could have on the business and applies resources to address the most critical issues first. This can help insurers reduce the risk of data breaches, cyber-attacks, and other security incidents that could result in significant financial losses.

Why Are Threat Actors Targeting Insurers?

Last year, cybersecurity researchers found that the insurance industry is being targeted by various cyberattacks, including ransomware, insurance fraud and hacktivist attacks.

The insurance industry possesses a large amount of Personally Identifiable Information (PII) on retail policyholders, which is valuable for fraud and other malicious purposes and which in turn makes it a high priority for insurers to ensure they have the correct cybersecurity procedures in place. Policyholder data is particularly valuable, with identity document numbers and scans being highly sought after. Criminals can also use PII already compromised from other sources to try to obtain more PII from insurers’ automated quote tools, specifically for car insurance, which makes auto insurance companies another target for attackers who can use the information for fraud.

Ransomware operators are targeting companies that have cyber insurance coverage due to the perception that they are more likely to pay ransoms; the details of the cyber insurance policy, including the maximum ransom amount covered, are useful to the operators. Ransomware attacks now also include a threat of data disclosure as an additional layer of extortion, putting more pressure on victims to pay ransoms to avoid losing customer confidence and facing potential legal consequences. One example is CNA Financial, a provider of cyber insurance, which reportedly paid a ransom of $40 million to the Phoenix CryptoLocker ransomware group after the group gained initial access to an employee’s workstation through a malicious browser update.

Compromised personal information can be used not just by fraudsters but also by state-sponsored threat actors for their operations and investigations. State-sponsored threat actors collect PII and store it in searchable databases, using it for human intelligence operations and signals intelligence collection. They monitor phone numbers and email addresses of select persons of interest and use PII to support foreign intelligence officers’ search for human sources, as well as for counterterrorism, counternarcotics, or other national security purposes. PII such as dates of birth, Social Security numbers and identity document numbers helps analysts differentiate between individuals with the same name, making their operations easier. Hacktivists are also among the groups that target insurance companies, with a political or ideological motive. According to cyber researchers, hacktivists usually attack financial institutions and government agencies of a specific country in an attempt to weaken its political and socio-economic structure.

How Can Risk-Based Vulnerability Management Help?

Risk-based vulnerability management starts with a risk assessment that identifies the systems and assets critical to the insurer’s business. This can include systems such as policy administration systems, claims processing systems, and customer data systems. The assessment then evaluates the potential impact of a security breach on each system and prioritizes the vulnerabilities based on their risk level.

Once the risks have been identified, the insurer can develop a remediation plan that addresses the most critical vulnerabilities first. In addition to remediation, risk-based vulnerability management also involves ongoing monitoring and management of vulnerabilities. This includes tracking new vulnerabilities as they are discovered, evaluating their impact on the business, and updating the remediation plan as needed. It is important to keep up with the latest security threats and to continuously assess the risk level of each vulnerability to ensure that the most critical issues are being addressed.

Risk-based vulnerability management can also help insurers improve their overall security posture by identifying gaps in their security infrastructure and processes. This can lead to the implementation of stronger security controls, such as firewalls, intrusion detection systems, and encryption, that can help prevent security incidents from occurring.

Patching software promptly is critical to avoiding the exploitation of vulnerabilities by hackers. Our research shows that 15% of exploited vulnerabilities were taken advantage of before the National Vulnerability Database (NVD) published them or assigned a Common Vulnerability Scoring System (CVSS) score. This implies that any automated patching prioritization system dependent on the NVD leaves its users at risk during that crucial period.
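To make the prioritization process described above concrete, here is an added example (not Orpheus’ code or its CVE Risk Score) of a minimal risk-based prioritiser for an insurer’s backlog, compared with one that depends solely on the NVD score. The asset criticality weights, the placeholder CVE ids and the sample findings are constructed for illustration; the point it shows is that a known-exploited CVE which the NVD has not yet scored sinks to the bottom of an NVD-only queue but rises to the top of a risk-based one.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed business-impact weights for the asset classes named in the post
ASSET_CRITICALITY = {
    "policy-admin": 1.0,
    "claims-processing": 0.9,
    "customer-data": 1.0,
    "marketing-site": 0.3,
}

@dataclass
class Finding:
    cve: str                 # placeholder ids, not real CVEs
    asset: str
    cvss: Optional[float]    # None when the NVD has not yet published a score
    exploited: bool          # evidence of in-the-wild exploitation

def nvd_only_priority(f: Finding) -> float:
    """Prioritiser that depends solely on the NVD score: unscored CVEs fall to 0."""
    return f.cvss if f.cvss is not None else 0.0

def risk_based_priority(f: Finding) -> float:
    """Fuse severity, exploitation evidence and business impact into one 0-10 score.

    A CVE with observed exploitation is treated as top severity even when the
    NVD has not scored it yet, closing the gap the post describes.
    """
    severity = 10.0 if f.exploited else (f.cvss if f.cvss is not None else 5.0)
    threat = 1.0 if f.exploited else 0.4
    impact = ASSET_CRITICALITY.get(f.asset, 0.5)
    return round(severity * threat * impact, 2)

def remediation_order(findings, scorer):
    """Return CVE ids in descending priority under the given scorer."""
    return [f.cve for f in sorted(findings, key=scorer, reverse=True)]

# Constructed backlog: one known-exploited CVE is still missing an NVD score
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "marketing-site", 9.8, False),
    Finding("CVE-0000-0002", "claims-processing", None, True),
    Finding("CVE-0000-0003", "policy-admin", 7.5, False),
    Finding("CVE-0000-0004", "customer-data", 4.3, False),
]

if __name__ == "__main__":
    print("NVD-only order:  ", remediation_order(SAMPLE_FINDINGS, nvd_only_priority))
    print("Risk-based order:", remediation_order(SAMPLE_FINDINGS, risk_based_priority))
```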

Our Risk-Based Vulnerability Management feature enables you to concentrate on the tiny minority of Common Vulnerabilities and Exposures (CVEs) that pose a threat to you. By eliminating unnecessary distractions, you can focus your time and resources on the truly important issues, significantly reducing cost and risk at the same time.

Risk-based Vulnerability Management is a crucial component of an insurer’s security strategy. It helps identify and mitigate the potential financial losses caused by security vulnerabilities, improves the overall security posture, and enables insurers to respond quickly and effectively to security incidents. By implementing risk-based vulnerability management, insurers can better protect their systems and assets, reduce the risk of data breaches, and minimize the financial impact of security incidents.

Learn more about our OVSS system and how we approach risk-based vulnerability management by downloading our latest whitepaper now.

Key Takeaways:

  • Our model continuously identifies whether any CVE is one of the approximately 0.5% that are actually exploited.
  • Orpheus’ Machine Learning predicts which CVEs will be exploited in the future with a proven accuracy of up to 94%.
  • Orpheus’ CVE Risk Score dynamically fuses vulnerability, threat, business impact and CVE risk, providing your organisation with a concise list of vulnerabilities for remediation.
